
\documentclass[12pt, A4]{article}
\usepackage{enumerate}
\usepackage{amsmath}
\usepackage{graphicx}

\begin{document}
%
% paper title
% can use linebreaks \\ within to get better formatting as desired
\title{Cryptanalysis and Improvements of Robust authentication and key agreement scheme preserving the privacy of secret key}


\author{Chin-Chen Chang, Hao-Chuan Tsai, Hai-Duong Le,Chin-Hsiang Chang}% <-this % stops a space







% make the title area
\maketitle


\begin{abstract}
%\boldmath
The abstract goes here.
\end{abstract}
% IEEEtran.cls defaults to using nonbold math in the Abstract.
% This preserves the distinction between vectors and scalars. However,
% if the journal you are submitting to favors bold math in the abstract,
% then you can use LaTeX's standard command \boldmath at the very start
% of the abstract to achieve this. Many IEEE journals frown on math
% in the abstract anyway.

\section{Introduction}
% The very first letter is a 2 line initial drop letter followed
% by the rest of the first word in caps.
% 
% form to use if the first word consists of a single letter:
% \IEEEPARstart{A}{demo} file is ....
% 
% form to use if you need the single drop letter followed by
% normal text (unknown if ever used by IEEE):
% \IEEEPARstart{A}{}demo file is ....
% 
% Some journals put the first two words in caps:
% \IEEEPARstart{T}{his demo} file is ....
% 
% Here we have the typical use of a "T" for an initial drop letter
% and "HIS" in caps to complete the first word.
%\IEEEPARstart{T}{his} demo file is intended to serve as a ``starter file''
%for IEEE journal papers produced under \LaTeX\ using
%IEEEtran.cls version 1.7 and later.
% You must have at least 2 lines in the paragraph with the drop letter
% (should never be an issue)
%I wish you the best of success.

%\hfill mds
 
%\hfill October 19, 2010

%\subsection{Subsection Heading Here}
%Subsection text here.

% needed in second column of first page if using \IEEEpubid
%\IEEEpubidadjcol

%\subsubsection{Subsubsection Heading Here}
%Subsubsection text here.


% An example of a floating figure using the graphicx package.
% Note that \label must occur AFTER (or within) \caption.
% For figures, \caption should occur after the \includegraphics.
% Note that IEEEtran v1.7 and later has special internal code that
% is designed to preserve the operation of \label within \caption
% even when the captionsoff option is in effect. However, because
% of issues like this, it may be the safest practice to put all your
% \label just after \caption rather than within \caption{}.
%
% Reminder: the "draftcls" or "draftclsnofoot", not "draft", class
% option should be used if it is desired that the figures are to be
% displayed while in draft mode.
%
%\begin{figure}[!t]
%\centering
%\includegraphics[width=2.5in]{myfigure}
% where an .eps filename suffix will be assumed under latex, 
% and a .pdf suffix will be assumed for pdflatex; or what has been declared
% via \DeclareGraphicsExtensions.
%\caption{Simulation Results}
%\label{fig_sim}
%\end{figure}

% Note that IEEE typically puts floats only at the top, even when this
% results in a large percentage of a column being occupied by floats.


% An example of a double column floating figure using two subfigures.
% (The subfig.sty package must be loaded for this to work.)
% The subfigure \label commands are set within each subfloat command, the
% \label for the overall figure must come after \caption.
% \hfil must be used as a separator to get equal spacing.
% The subfigure.sty package works much the same way, except \subfigure is
% used instead of \subfloat.
%
%\begin{figure*}[!t]
%\centerline{\subfloat[Case I]\includegraphics[width=2.5in]{subfigcase1}%
%\label{fig_first_case}}
%\hfil
%\subfloat[Case II]{\includegraphics[width=2.5in]{subfigcase2}%
%\label{fig_second_case}}}
%\caption{Simulation results}
%\label{fig_sim}
%\end{figure*}
%
% Note that often IEEE papers with subfigures do not employ subfigure
% captions (using the optional argument to \subfloat), but instead will
% reference/describe all of them (a), (b), etc., within the main caption.


% An example of a floating table. Note that, for IEEE style tables, the 
% \caption command should come BEFORE the table. Table text will default to
% \footnotesize as IEEE normally uses this smaller font for tables.
% The \label must come after \caption as always.
%
%\begin{table}[!t]
%% increase table row spacing, adjust to taste
%\renewcommand{\arraystretch}{1.3}
% if using array.sty, it might be a good idea to tweak the value of
% \extrarowheight as needed to properly center the text within the cells
%\caption{An Example of a Table}
%\label{table_example}
%\centering
%% Some packages, such as MDW tools, offer better commands for making tables
%% than the plain LaTeX2e tabular which is used here.
%\begin{tabular}{|c||c|}
%\hline
%One & Two\\
%\hline
%Three & Four\\
%\hline
%\end{tabular}
%\end{table}


% Note that IEEE does not put floats in the very first column - or typically
% anywhere on the first page for that matter. Also, in-text middle ("here")
% positioning is not used. Most IEEE journals use top floats exclusively.
% Note that, LaTeX2e, unlike IEEE journals, places footnotes above bottom
% floats. This can be corrected via the \fnbelowfloat command of the
% stfloats package.


\section{Wang et al's scheme}

In this section, we review Wang et al's scheme in brief and then present our cryptanalysis on the scheme.

\subsection{Review of Wang et al's scheme}
In Wang et al's scheme, they proposed a seven-phase authenticated key agreement protocol. The first six phases are used to facilitate authentication and key agreement as well as password changing, revocation of smart card and user eviction. The scheme introduces the seventh phase, namely user anonymity phase, to provides privacy of client's identity and location. 

The system is set up as follows - the server $S$ chooses an elliptic curve $E_p$ over a finite field $Z_p$, then selects a base point $G$ of order $n$,  $n>2^160$, and $n \times G=O$, where $O$ is the point at infinite of the elliptic curve $E_p$.

\subsubsection{Registration phase}
\begin{enumerate}[Step 1]
\item In this phase, each user submits his identity $id_i$ to server
\item The server verifies the user's identity and computes $B_i = h(x\|id_i\|cid_i) \times G$. \{$id_i, B_i,G,E_p$\} are written into the smart card which is issued to user over a secure channel. User identity $id_i$ and card identity $cid_i$ are kept in server's ID table.
\item Upon receiving the smart card, user activates the card and sets a password $pw_i$ for it using a card reader. The smart card computes and stores $B_i' = B_i \oplus h(pw_i)$ into its memory in place of $B_i$.
\end{enumerate}

\subsubsection{Precomputation phase}
In this phase, the smart card computes $T_1 = R \times G$ as a point over $E_p$, where $R$ is a random number. $T_1$ is stored in smart card memory for later use in authenticated key agreement.

\subsubsection{Authentication and key agreement phase}
In order to authenticate with the server, user inserts his smart card into card reader and keys in his password. Then, the user's system communicates with the server to established authentication and key agreement as follows.
\begin{enumerate}[Step 1]
\item First, the smart card computes $B_i = B_i' \oplus h(pw_i)$ and $T_2 = h(R \times B_i)$. Then, it sends login request which is comprised of \{$id_i$, $T_1$, $T_2$\} to the server.
\item When the server receives \{$id_i$, $T_1$, $T_2$\}, it checks user's identity against the ID table. The server then performs computation of $h(x\|id_i\|cid_i)$ and $T_2' = T_1 \times h(x\|id_i\|cid_i)$. If $T_2' = T_2$ holds, the server chooses a random number $W$ in $Z_n^*$; it computes $K = h(W \times T_1)$, $V_1 = h(T_2'\|K)$ and $T_3 = W \times G$. The server sends \{$T_3$, $V_1$\} to user's smart card.
\item Upon receiving reply message \{$T_3$, $V_1$\} from $S$, the smart card computes $K' = h(R \times T_3)$ and $V_1' = h(T_2\|K')$. If $V_1'$ is equal to $V_1$, smart card computes $V_2 = h(R \times B_i\|K'+1)$ and sends \{$V_2$\} to server.
\item Upon receiving \{$V_2$\}, the server authenticates the user's identity successfully if $h(T_2'\|K + 1)$ is equal to $V_2$. Finally, the server and user share a session key $K = K'$.
\end{enumerate}

\subsubsection{Password changing phase}
A user can change his password by simply insert his smart card  into card reader, and then entering his current and new password. Card reader replaces $B'$ with new value $B'' = B' \oplus h(pw_i) \oplus h({new_{pw}}_i)$.

\subsubsection{Revoking smart card phase}
In case a user lost his smart card, he can revoke his lost card and request for a replacement. The procedure of issuing new smart card for a user is similar to procedure in registration phase, server computes a new value of $B_i$, writes($id_i$, $B_i$, $G$, $E_p$) into the new smart card and updates the new card identity ${cid_i}_{new}$ in the ID table. Upon receiving new smart card, the user activates the new card and set his password which is used to compute new value $B_i' = B_i \oplus h(pw_i)$.

\subsubsection{User eviction phase}
The server can evict a user by removing the user's identity from the ID table. If the user tries to login using his smart card and password, he will fail to login since his identity is no longer in ID table.
\subsubsection{User anonymity phase}
In this section, rather than storing user's identity in a smart card, the server replaces identity of user $id_i$ by  an indicator $IND_i$.

\subsection{Cryptanalysis of Wang et al's scheme}
In this section, we show that Wang et al's scheme is susceptible to man-in-the-middle attack. This attack is possible with the assumption that an attacker has ability to intercept network traffic originated from a user. The attacker can impersonate server and deceive a user into forming a communication with the attacker rather than with the legitimate server. 

Suppose that a legitimate user sends his login request to server; a login request message consists of ($id_i$, $T_1$, $T_2$). Attacker intercepts the user's request message sending to server and he does not forward the message to the server $S$. In order to impersonates the server, the attacker chooses a  random number $W$ and computes $K=h(W \times T_1)$, $T_3 = W \times G$ and $V_1=h(T_2\|K)$ using $T_1$, $T_2$ which are sent in the request message. A forged reply message comprised of ($T_3$, $V_1$) is sent back to the user. 

When the user's smart card receives the forged reply message of ($T_3$, $V_1$), it computes $K'=R \oplus T_3$ and verifies whether $V_1$ is equal to $h(T_2\|K')$. It is obvious that the smart card perceive the attacker as the legitimate server, since $K$, $T_3$ and $V_1$ are computed based on user's $T_1$ and $T_2$. The smart card computes $V_2=h(T_2\|K'+1)$ and sends $V_2$ to server, which is masqueraded by the attacker now. After sending $V_2$, the smart card use the session key $K'$, which is equal to $K$, to encrypt subsequent messages sending to server. Upon receiving $V_2$, attacker knows that he had successfully deceived the user to believe that he is the legitimate server. Starting from this point, the attacker can obtain user's confidential information which is supposedly sent to the server $S$. 

Clearly, attacker does not require any secret from the server to compute $K$, $T_3$ and $V_1$; he can impersonate the server and cheat the user $U_i$. Therefore, Wang et al's scheme is unsuccessful in providing the mutual authentication service.

\section{The proposed scheme}
In this section, we propose a new scheme that overcomes the flaws and weaknesses in Wang et al's scheme. The proposed scheme consists of four phases: parameter generation phase, registration phase, login and verification phase, and password changing phase.

\subsection{Parameter generation phase}
In our scheme, server selects a random number $x$, where $x\in Z_p$, as its secret key. In addition, a cryptographic hash function is chosen by the server. The  hash function $h(\cdot)$ is a one-way hash function. 

\subsection{Registration phase}
\begin{enumerate}[Step 1]
\item  A new user $U_i$ submits his identity $ID_i$ to server $S$ for registration.
\item After receiving $ID_i$ from  $U_i$, server $S$ generates random number $r$ and computes the following parameters:
\begin{itemize}
\item $V = h(r\|ID_i\|x) \oplus h(pw_{ini})$, where $x$ is the server's secret key. $pw_{ini}$ is just a initial password given to user by server. When recieving the smart card, user needs to perform smart card activation procedure in which user will change the password from initial password to his own password.
\item $IM = E_{x}(ID_i\|r)\oplus  h(pw_{ini})$, where $E_{x}()$ is a symmetric encryption function with secret key $x$.
\item Server writes $\{V,IM\}$ into a smart card and issues the smart card to $U_i$ together with the initial password $pw_{ini}$.
\end{itemize}

\item When $U_i$ receives the smart card, he performs smart card activation and changes password. $U_i$ inserts the smart card into card reader, then he keys in the initial password $pw_{ini}$ and his new password $pw_i$. The smart card computes  $V_{new} = h(r\|ID_i\|x) \oplus h(pw_i)$ and $IM_{new} = E_{x}(ID_i\|r)\oplus h(pw_i)$. Values of $V,IM$ will be replaced by values of $V_{new},IM_{new}$ respectively in the smart card's memory.
\end{enumerate}

\subsection{ Login and verification phase}
When user $U_i$ wants to login the server $S$, he inserts his smart card into the card reader and keys in his password $pw_i$. Then the smart card executes the following procedure:
\begin{enumerate}[Step 1] 
\item First, the smart card generates a random number $r_1$ and computes $T_1=IM\oplus h(pw)$ is equal to $E_{x}(ID_i\|r)$.Then, it delivers $\{T_1,r_1\}$ to the server.
\item Upon receiving the login request message, $S$ uses its secret key $x$ to decrypt $T_1$, $D_x(T_1)=ID_i\|r$. $S$ generates two random numbers $ r' $ and $r_2$, it performs the following computation:
\begin{itemize}
\item $T_2 = E_x(ID_i\|r')\oplus r_2$.
\item $K_{auth}=h(r\|ID_i\|x)$
\item $T_3= {E_{K}}_{auth}(r_1\oplus r_2\|h(E_x(ID_i\|r'))\|h(r'\|ID_i\|x))$
\item $S$ send message of \{$T_2$, $T_3$\} to $U_i$'s smart card.
\end{itemize}
\item When receiving $\{T_2, T_3\}$ from $S$, the smart card computes $K_{auth}= V \oplus h(pw_i)$. Using the newly computed key $K_{auth}$, $U_i$ decrypts $T_3$, $D_{K_{auth}}(T_3) = r_1\oplus r_2 \| h(E_x(ID_i\|r')\| h(r'\|ID\|x)$. Then $U_i$ verifies $h(E_x(ID_i\|r'))$. If $h(E_x(ID_i\|r'))$ is correct, $U_i$ is assured of integrity and origin of  $T_2,T_3$; otherwise, the card reader will terminate the login process and report failed login.

The card reader computes:
\begin{itemize}
\item $V_{new}= h(r' \| ID_i \|x) \oplus h(pw_i)$ and $IM_{new}= T_2 \oplus r_2 \oplus h(pw_i)$, where $h(r'\|ID_i\|x)$ and $r_2$ are obtained from the prevous decryption of $T_3$. Then, the card reader replace $V$, $IM$ by $V_{new}$ respectively in the smart card's memory.
\item the new session key $K_{SU} = h(r_1\|r_2)$ 
\item $T_4 = h(r_2 + 1)$
\end{itemize}
The card reader send $\{T4\}$ to server $S$.

\item Upon receiving \{$T_4$\}, $S$ checks whether $T_4$ is equal to $h(r_2+1)$. If it is correct, $S$ successfully authenticates $U_i$ and it computes the session key $K_{SU}$.

After the previous step, $S$ and $U_i$ have successfully athenticated each other and shared a seession key $K_{SU}$ for subsequent communication.
\end{enumerate}

\subsection{Password changing phase}
When a user $U_i$ wants to change his password, he inserts his smart card into card reader and enters his current password $pw_i$. First, the card reader tries to authenticates the user against the server $S$. If the authentication is successful, the smart card then requests $U_i$ to keys in his new password $pw_{new}$. Since $S$ limits the number of failed logins, getting $U_i$ authenticated before changing his password will prevent brute force password attacks.

Once $U_i$ is authenticated, the card reader computes $V' = h(r\|ID_i\|x) \oplus h(pw_{new})$ and $IM' = E_{x}(ID_i\|r)\oplus  h(pw_{new})$, and then replace $V$, $IM$ by  $V'$, $IM'$ respectively in the smart card's memory. Now, $U_i$ has successfully change his password.


\section{Conclusion}
The conclusion goes here.

\end{document}



